GNU bug report logs - #31935
2 crashes in diffutils commit version 576645c
Report forwarded to bug-diffutils <at> gnu.org: bug#31935; Package diffutils. (Fri, 22 Jun 2018 14:35:02 GMT)
Acknowledgement sent to Hongxu Chen <leftcopy.chx <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-diffutils <at> gnu.org. (Fri, 22 Jun 2018 14:35:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello,
We found with our fuzzer 2 crashes on diffutils version 576645c: one is
a heap-buffer-overflow at util.c:1249, the other is an invalid read resulting
from `output_1_line' at util.c:1274.
The executing command is: `./diff -a --strip-trailing-cr $file
add.wasm` where $file is the PoC file (I attached them as *.input.txt);
"add.wasm" is also attached; however, it seems that the content of the comparison
file is not important.
The AddressSanitizer outputs (attached as "*.err.SIG06") are:
=================================================================
==8310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000000ff at pc 0x00000055108a bp 0x7ffdc5af8650 sp 0x7ffdc5af8648
READ of size 1 at 0x6210000000ff thread T0
#0 0x551089 in print_1_line_nl
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44
#1 0x544366 in print_normal_hunk
/home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
#2 0x550883 in print_script
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
#3 0x51351f in diff_2_files
/home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
#4 0x5297a7 in compare_files
/home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
#5 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
#6 0x7f7a0e14fb96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#7 0x41d709 in _start
(/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)
0x6210000000ff is located 1 bytes to the left of 4096-byte region
[0x621000000100,0x621000001100)
allocated by thread T0 here:
#0 0x4d2d60 in malloc
(/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x4d2d60)
#1 0x583120 in xmalloc
/home/hongxu/FOT/diffutils-fuzz/lib/xmalloc.c:41:13
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44 in print_1_line_nl
Shadow bytes around the buggy address:
0x0c427fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c427fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8310==ABORTING
and:
ASAN:DEADLYSIGNAL
=================================================================
==8313==ERROR: AddressSanitizer: SEGV on unknown address 0x6210000100d4 (pc 0x7f367ca57c40 bp 0x000000000400 sp 0x7ffeebd7e358 T0)
==8313==The signal is caused by a READ memory access.
#0 0x7f367ca57c3f
/build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
#1 0x7f367c954993 in _IO_file_xsputn
/build/glibc-OTsEL5/glibc-2.27/libio/fileops.c:1258
#2 0x7f367c95351f in fwrite_unlocked
/build/glibc-OTsEL5/glibc-2.27/libio/iofwrite_u.c:43
#3 0x551dc4 in output_1_line
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1274:28
#4 0x550d24 in print_1_line_nl
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:3
#5 0x544366 in print_normal_hunk
/home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
#6 0x550883 in print_script
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
#7 0x51351f in diff_2_files
/home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
#8 0x5297a7 in compare_files
/home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
#9 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
#10 0x7f367c8eab96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#11 0x41d709 in _start
(/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
==8313==ABORTING
The glibc version is 2.27 and it's an Ubuntu 18.04 LTS (Linux C10
4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64
x86_64 GNU/Linux) machine.
Best Regards,
Hongxu
[hbo_util.c:1249_1.input.txt (text/plain, attachment)]
[hbo_util.c:1249_2.input.txt (text/plain, attachment)]
[hbo_util.c:1249_2.err.SIG06 (application/octet-stream, attachment)]
[hbo_util.c:1249_1.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_1.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_1.input.txt (text/plain, attachment)]
[read_util.c:1274:28_2.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_2.input.txt (text/plain, attachment)]
[add.wasm (application/octet-stream, attachment)]
Information forwarded to bug-diffutils <at> gnu.org: bug#31935; Package diffutils. (Sat, 29 Dec 2018 01:14:02 GMT)
Message #8 received at 31935 <at> debbugs.gnu.org (full text, mbox):
On Fri, Jun 22, 2018 at 7:49 AM Hongxu Chen <leftcopy.chx <at> gmail.com> wrote:
> We found with our fuzzer 2 crashes on diffutils version 576645c: one is a heap-buffer-overflow at util.c:1249, another is an invalid read resulting from `output_1_line' at util.c:1274.
> The executing command is: `./diff -a --strip-trailing-cr $file add.wasm` where $file is the poc file (I attached them as *.input.txt); "add.wasm" is also attached however it seems that content of the comparison file is not important.
Thank you for fuzz-testing diffutils.
FYI, here is a reproducer for the limit[-1]-related UMR bugs:
valgrind src/diff -a --strip-trailing-cr <(printf '\r') <(echo a)
I've attached a patch:
[diffutils-UMR.diff (application/octet-stream, attachment)]
Information forwarded to bug-diffutils <at> gnu.org: bug#31935; Package diffutils. (Sat, 29 Dec 2018 01:38:01 GMT)
Message #11 received at 31935 <at> debbugs.gnu.org (full text, mbox):
On Fri, Dec 28, 2018 at 5:13 PM Jim Meyering <jim <at> meyering.net> wrote:
>
> On Fri, Jun 22, 2018 at 7:49 AM Hongxu Chen <leftcopy.chx <at> gmail.com> wrote:
> > We found with our fuzzer 2 crashes on diffutils version 576645c: one is a heap-buffer-overflow at util.c:1249, another is an invalid read resulting from `output_1_line' at util.c:1274.
> > The executing command is: `./diff -a --strip-trailing-cr $file add.wasm` where $file is the poc file (I attached them as *.input.txt); "add.wasm" is also attached however it seems that content of the comparison file is not important.
>
> Thank you for fuzz-testing diffutils.
> FYI, here is a reproducer for the limit[-1]-related UMR bugs:
>
> valgrind src/diff -a --strip-trailing-cr <(printf '\r') <(echo a)
>
> I've attached a patch:
That patch was provably incomplete.
I ran this (adding -u to the above) and found one new UMR. Guarding
yet another [-1] reference fixes it.
There are still numerous unguarded [-1] references, so this updated
patch is doubtless still incomplete:
for i in hbo*; do echo $i; valgrind --quiet src/diff -u -a --strip-trailing-cr $i add.wasm > /dev/null; echo $?; done
[diffutils-UMR.diff (application/octet-stream, attachment)]
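The two messages above (the `limit[-1]` reproducer built from `printf '\r'`, and the note that guarding another `[-1]` reference removes a further read) both come down to one pattern: diff keeps each line as a half-open byte range `[base, limit)` and inspects `limit[-1]` to see whether the line ends in a newline, and `--strip-trailing-cr` can leave a line with `limit == base`, so `limit[-1]` is one byte before the buffer, exactly the "1 bytes to the left of 4096-byte region" read in the first ASan trace. The block below is an added example written for this page; it is my own model, not diffutils' util.c or io.c and not Paul's installed patch. `strip_trailing_cr`, `line_t`, `ends_with_nl`, `body_len` and `stripped_body_len` are hypothetical names, and the remark tying the unguarded arithmetic to the second trace (the SEGV inside `fwrite_unlocked`) is my reading of the report, not something the thread confirms.

```c
/* Added example, not diffutils code: a model of diff's [base, limit) line
   representation, the --strip-trailing-cr transformation that can leave a
   line empty, and the limit[-1] check in unguarded and guarded form. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A line is the half-open byte range [base, limit); the print path tests
   limit[-1] to decide whether the line still carries its '\n'. */
typedef struct { const char *base; const char *limit; } line_t;

/* Hypothetical stand-in for --strip-trailing-cr on one line held in a
   writable buffer of LEN bytes: "abc\r\n" -> "abc\n", and a trailing "\r"
   with no newline (Jim's printf '\r' file) -> "" (a zero-length line).
   Returns the new length. */
size_t strip_trailing_cr(char *buf, size_t len)
{
    if (len >= 2 && buf[len - 2] == '\r' && buf[len - 1] == '\n') {
        buf[len - 2] = '\n';
        return len - 1;
    }
    if (len >= 1 && buf[len - 1] == '\r')
        return len - 1;
    return len;
}

/* Unguarded: the pattern behind the first trace.  For an empty line,
   limit == base, so limit[-1] reads the byte before the buffer (ASan:
   "1 bytes to the left of ... region").  Kept only for comparison;
   nothing in this file calls it. */
bool ends_with_nl_unguarded(line_t l)
{
    return l.limit[-1] == '\n';
}

/* Guarded: never look at limit[-1] unless the line is non-empty. */
bool ends_with_nl(line_t l)
{
    return l.base < l.limit && l.limit[-1] == '\n';
}

/* Bytes to write before re-adding the newline.  With the unguarded check,
   an empty line whose predecessor ended in '\n' gives (limit - 1) - base ==
   (size_t)-1, i.e. an enormous write request; that is my reading of the
   second trace (SEGV under fwrite_unlocked), not a claim made in the thread. */
size_t body_len(line_t l)
{
    return (size_t)(l.limit - l.base) - (ends_with_nl(l) ? 1 : 0);
}

/* Strip + guarded check on a sample of LEN bytes (LEN <= 64); reports
   whether a newline survived and returns the body length. */
size_t stripped_body_len(const char *sample, size_t len, bool *has_nl)
{
    char buf[64];
    if (len > sizeof buf)
        len = sizeof buf;
    memcpy(buf, sample, len);
    size_t n = strip_trailing_cr(buf, len);
    line_t l = { buf, buf + n };
    *has_nl = ends_with_nl(l);
    return body_len(l);
}

int main(void)
{
    /* Constructed inputs: a CRLF line, the lone-CR file, a plain LF line. */
    const char crlf[] = "abc\r\n", cr[] = "\r", lf[] = "x\n";
    bool nl;
    size_t n;
    n = stripped_body_len(crlf, sizeof crlf - 1, &nl);
    printf("\"abc\\r\\n\": body %zu bytes, newline=%d\n", n, nl);
    n = stripped_body_len(cr, sizeof cr - 1, &nl);
    printf("\"\\r\":      body %zu bytes, newline=%d\n", n, nl);
    n = stripped_body_len(lf, sizeof lf - 1, &nl);
    printf("\"x\\n\":     body %zu bytes, newline=%d\n", n, nl);
    return 0;
}
```

Building this with `-fsanitize=address` and calling `ends_with_nl_unguarded` on an empty `line_t` reproduces the shape of the first trace (a 1-byte read just left of the allocation); the guarded version returns false for the same input and keeps the length arithmetic in `body_len` at zero.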
Information forwarded to bug-diffutils <at> gnu.org: bug#31935; Package diffutils. (Sat, 29 Dec 2018 03:12:01 GMT)
Message #14 received at 31935 <at> debbugs.gnu.org (full text, mbox):
Jim Meyering wrote:
> There are still numerous unguarded [-1] references, so this updated
> patch is doubtless still incomplete:
The real bug was elsewhere, I think. I installed the attached patch. This patch
lacks your test case, which didn't work for me because there is no
require_valgrind_ in diffutils. Is require_valgrind_ from coreutils or from some
other location?
[0001-diff-fix-UMR-with-strip-trailing-cr.patch (text/x-patch, attachment)]
Information forwarded to bug-diffutils <at> gnu.org: bug#31935; Package diffutils. (Sat, 29 Dec 2018 05:09:02 GMT)
Message #17 received at 31935 <at> debbugs.gnu.org (full text, mbox):
On Fri, Dec 28, 2018 at 7:11 PM Paul Eggert <eggert <at> cs.ucla.edu> wrote:
>
> Jim Meyering wrote:
> > There are still numerous unguarded [-1] references, so this updated
> > patch is doubtless still incomplete:
>
> The real bug was elsewhere, I think. I installed the attached patch. This patch
> lacks your test case, which didn't work for me because there is no
> require_valgrind_ in diffutils. Is require_valgrind_ from coreutils or from some
> other location?
Thanks. Nice patch.
I've pushed the two test-related patches.
Reply sent to Jim Meyering <jim <at> meyering.net>: You have taken responsibility. (Sat, 29 Dec 2018 07:16:02 GMT)
Notification sent to Hongxu Chen <leftcopy.chx <at> gmail.com>: bug acknowledged by developer. (Sat, 29 Dec 2018 07:16:02 GMT)
Message #22 received at 31935-done <at> debbugs.gnu.org (full text, mbox):
On Fri, Dec 28, 2018 at 9:20 PM Jim Meyering <jim <at> meyering.net> wrote:
>
> On Fri, Dec 28, 2018 at 7:11 PM Paul Eggert <eggert <at> cs.ucla.edu> wrote:
> >
> > Jim Meyering wrote:
> > > There are still numerous unguarded [-1] references, so this updated
> > > patch is doubtless still incomplete:
> >
> > The real bug was elsewhere, I think. I installed the attached patch. This patch
> > lacks your test case, which didn't work for me because there is no
> > require_valgrind_ in diffutils. Is require_valgrind_ from coreutils or from some
> > other location?
>
> Thanks. Nice patch.
> I've pushed the two test-related patches.
I noticed that the new test would fail when built with ASAN, so will push this:
[umr-test-vs-asan.diff (application/octet-stream, attachment)]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 26 Jan 2019 12:24:05 GMT)
This bug report was last modified 5 years and 89 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.